RewriteEngine on
RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
#Alias /ui /usr/share/ipsilon/ui
Alias /ui /usr/share/ipsilon/themes/Fedora
Alias /.well-known /var/lib/ipsilon/root/public/well-known
Alias /cache /var/cache/ipsilon
Redirect /.well-known/webfinger /webfinger

# This is for mapping $username.id.fp.o -> id.fp.o/id/$username
RewriteEngine on
RewriteMap lowercase int:tolower
{% if env == "staging" %}
RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_\.-]+\.id\.stg\.fedoraproject\.org$
RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
RewriteRule ^([a-z0-9_\.-]+)\.id\.stg\.fedoraproject\.org/.* /openid/id/$1/ [PT]
{% else %}
RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_\.-]+\.id\.fedoraproject\.org$
RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
RewriteRule ^([a-z0-9_\.-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
{% endif %}


WSGIScriptAlias / /usr/libexec/ipsilon/ipsilon
WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=6 threads=2 maximum-requests=1000
WSGISocketPrefix run/wsgi
#WSGIRestrictStdout Off
#WSGIRestrictSignal Off
# This header is required to be passed for OIDC client_secret_basic
WSGIPassAuthorization On
# Without this, getting the private key in jwcrypto/jwk.py, line 430, fails
# Fix from https://github.com/pyca/cryptography/issues/2299#issuecomment-197075190
WSGIApplicationGroup %{GLOBAL}


<Location />
    WSGIProcessGroup ipsilon
</Location>

<Directory /usr/libexec/ipsilon>
    Require all granted
</Directory>

<Directory /usr/share/ipsilon>
    Options +SymLinksIfOwnerMatch
    Require all granted
</Directory>

<Directory /var/lib/ipsilon/root/public/well-known>
    Require all granted
</Directory>

<Location /.well-known/browserid>
    ForceType application/json
</Location>

<Location /login/gssapi/negotiate>
    AuthName "GSSAPI Single Sign On Login"
    GssapiCredStore keytab:/etc/krb5.HTTP_id{{ env_suffix }}.fedoraproject.org.keytab
    AuthType GSSAPI
    # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
    GssapiSSLonly Off
    GssapiLocalName on
    Require valid-user
    ErrorDocument 401 /login/gssapi/unauthorized
    ErrorDocument 500 /login/gssapi/failed
</Location>

LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
LoadModule authnz_pam_module modules/mod_authnz_pam.so

<Location /login/form>
  InterceptFormPAMService ipsilon
  InterceptFormLogin login_name
  InterceptFormPassword login_password
  # InterceptFormLoginSkip admin
  # InterceptFormClearRemoteUserForSkipped on
  InterceptFormPasswordRedact on
</Location>

<Directory "/var/cache/ipsilon">
  SetHandler None
  AllowOverride None
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from All
  </IfModule>
</Directory>
